Chief security officers (CSOs) complained at the Black Hat USA 2009 conference that they spend too much time doing jobs relating to regulation, and that doing so is detrimental to security.
"The security industry is beholden to do things that are not effective due to audits and regulation," said John Stuart, CSO at Cisco.
"I stopped paying attention to intrusion detection system logs. I don't care how many times we get attacked. Now I spend time looking at traffic leaving the company to find what's infected. It took nine months to convince the auditors about this."
Stuart added that each task had to be measured on efficacy. If he is asked to do something that reduces his efficiency he finds another "sucker group" within the company to do the job.
Bob West, founder of security intelligence firm Echelon One, agreed with Stuart. "I could spend a whole lot of time on compliance, but I wouldn't be spending it doing my security job," he said.
Companies need to analyse the compliance issues that need to be addressed and remove them from the CSO's job where possible. This frees up the CSO to get on with the job of protecting the company.